Bastion SSH Tunneling: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
No edit summary
 
(44 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Tunnel==
==Tunnel==
<source lang='bash'>
<syntaxhighlight lang="bash">
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
     [[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
     [[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
Line 13: Line 13:
EOF
EOF
fi
fi
</source>
</syntaxhighlight>


==Tunneling==
==Tunneling==
{|
{|
|valign="top"|
|valign="top"|
<source lang='bash'>
<syntaxhighlight lang="bash" highlight='8,11,12'>
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
     [[ "$(grep -c 'api.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
     [[ "$(grep -c 'api.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
         tee -a ${HOME}/.ssh/config >/dev/null <<EOF
         tee -a ${HOME}/.ssh/config >/dev/null <<EOF


# api gateway service
Host api.vpc.chorke.org
Host api.vpc.chorke.org
     HostName api.vpc.chorke.org
     HostName api.vpc.chorke.org
Line 31: Line 32:
     HostKeyAlgorithms +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
     User deploy
    LocalForward 1983 localhost:1983
    LocalForward 2013 localhost:2013
    LocalForward 2015 localhost:2015
EOF
EOF
fi
fi
</source>
</syntaxhighlight>


|valign="top"|
|valign="top"|
<source lang='bash'>
<syntaxhighlight lang="bash" highlight='8,11,12'>
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
     [[ "$(grep -c 'app.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
     [[ "$(grep -c 'app.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
         tee -a ${HOME}/.ssh/config >/dev/null <<EOF
         tee -a ${HOME}/.ssh/config >/dev/null <<EOF


# web portal service
Host app.vpc.chorke.org
Host app.vpc.chorke.org
     HostName app.vpc.chorke.org
     HostName app.vpc.chorke.org
Line 49: Line 54:
     HostKeyAlgorithms +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
     User deploy
    LocalForward 1983 localhost:1983
    LocalForward 2013 localhost:2013
    LocalForward 2015 localhost:2015
EOF
EOF
fi
fi
</source>
</syntaxhighlight>


|-
|-
Line 58: Line 66:
|-
|-
|valign="top"|
|valign="top"|
<source lang='bash'>
<syntaxhighlight lang="bash" highlight='8,11,12'>
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
     [[ "$(grep -c 'rds.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
     [[ "$(grep -c 'rds.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
         tee -a ${HOME}/.ssh/config >/dev/null <<EOF
         tee -a ${HOME}/.ssh/config >/dev/null <<EOF


# psql database service
Host rds.vpc.chorke.org
Host rds.vpc.chorke.org
     HostName rds.vpc.chorke.org
     HostName rds.vpc.chorke.org
Line 73: Line 82:
EOF
EOF
fi
fi
</source>
</syntaxhighlight>
|valign="bottom"|
|valign="bottom"|
<source lang='bash'>
<syntaxhighlight lang="bash" highlight='2,7,12'>
# ssh private key add to the ssh-agent
# add ssh private key to the ssh-agent
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa


# forwarded key to bastion
# forward ssh key to bastion
ssh -A app.vpc.chorke.org
ssh -A app.vpc.chorke.org
ssh -A api.vpc.chorke.org
ssh -A api.vpc.chorke.org
Line 88: Line 97:
# manage ssh key from ssh-agent
# manage ssh key from ssh-agent
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa
ssh-add -l
ssh-add -L
ssh-add -L
ssh-aad -D
ssh-aad -D
</source>
</syntaxhighlight>
 
|}
 
==Example==
{|
|valign="top"|
<syntaxhighlight lang="bash">
ssh-copy-id -i\
${HOME}/.ssh/vpn.shahed.biz_rsa.pub [email protected]
</syntaxhighlight>
 
|valign="top"|
<syntaxhighlight lang="bash">
ssh-copy-id -i\
${HOME}/.ssh/git.shahed.biz_rsa.pub [email protected]
</syntaxhighlight>
 
|-
|colspan="2"|
----
|-
|valign="top"|
<syntaxhighlight lang="bash" highlight='9-12'>
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'vpn.shahed.biz'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF
 
# bastion proxy
Host vpn.shahed.biz
    HostName vpn.shahed.biz
    IdentityFile ~/.ssh/vpn.shahed.biz_rsa
    PreferredAuthentications publickey
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
    IdentitiesOnly yes
    User bastion
 
EOF
fi
</syntaxhighlight>
 
|valign="top"|
<syntaxhighlight lang="bash" highlight='8,10-13'>
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'git.shahed.biz'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF
 
# gitlab jenkins
Host git.shahed.biz
    HostName git.shahed.biz
    ProxyCommand ssh -qW%h:%p vpn.shahed.biz
    IdentityFile ~/.ssh/git.shahed.biz_rsa
    PreferredAuthentications publickey
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
    IdentitiesOnly yes
    User jenkins
EOF
fi
</syntaxhighlight>
 
|-
|colspan="2"|
----
|-
|valign="top"|
<syntaxhighlight lang="bash" highlight='6-12'>
if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'Host \*'  ${HOME}/.ssh/config)" == 0 ]];then
        cat <<EOF | tee -a ${HOME}/.ssh/config >/dev/null
 
# for all host
Host *
    PreferredAuthentications publickey
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
    ServerAliveInterval 60
    ServerAliveCountMax 20
    IdentitiesOnly yes
    AddressFamily inet
    Compression yes
    LogLevel INFO
    Protocol 2
EOF
fi
</syntaxhighlight>
 
|valign="top"|
 
|}
 
== Knowledge ==
{|
|valign="top"|
sudo systemctl restart sshd
sudo systemctl status  ssh
 
|valign="top" colspan="2"|
<syntaxhighlight lang="bash">
grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)$' ./sshd_config
grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)$' ./sshd_config
</syntaxhighlight>
 
|-
|colspan="3"|
----
|-
|valign="top" colspan="3"|
<syntaxhighlight lang="bash">
# regexp simple group & escaping
if  [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
    [[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' /etc/ssh/sshd_config)" == 1 ]];then
        sed -z  's/#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi
</syntaxhighlight>
 
|-
|colspan="3"|
----
|-
|valign="top" colspan="3"|
<syntaxhighlight lang="bash">
# regexp complex group & escaping
if  [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
    [[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' /etc/ssh/sshd_config)" == 1 ]];then
        sed  -z 's/#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi
</syntaxhighlight>
 
|-
|colspan="3"|
----
|-
|valign="top"|
'''# add ssh private key to agent'''
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa
'''# forwarded private key'''
ssh -A api.vpc.chorke.org
ssh -A app.vpc.chorke.org
 
|valign="top"|
'''# manage ssh key for ssh-agent'''
ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa
ssh-add -l
ssh-add -D
ssh-add -L
 
|valign="top"|
'''Too many authentication failures'''
ssh-add -l
ssh-add -D
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa
ssh api.vpc.chorke.org
ssh app.vpc.chorke.org
 
|-
|colspan="3"|
----
|-
|valign="top" colspan="2"|
'''too many authentication failures issue'''
ssh -o PreferredAuthentications=password ${USER}@academia.local
ssh -o IdentityAgent=none ${USER}@academia.local
ssh -o IdentitiesOnly=yes ${USER}@academia.local
 
|valign="top"|
Host *.local
      IdentityAgent none
      IdentitiesOnly yes
      PreferredAuthentications password


|}
|}
Line 97: Line 279:
{|
{|
| valign="top" |
| valign="top" |
* [[SSH/Public Key Authentication]]
* [https://stackoverflow.com/questions/25464930/ Remove an SSH Key]
* [https://stackoverflow.com/questions/25464930/ Remove an SSH Key]
* [[SSH Port Forwarding]]
* [[Ubuntu/Raspberry Pi]]
* [[Fedora/Raspberry Pi]]
* [[Fedora/Morefine]]
* [[Raspberry Pi]]
* [[OpenVPN]]
* [[Fedora]]
* [[Bash]]


| valign="top" |
| valign="top" |
* [https://www.ssh.com/academy/ssh/tunneling-example SSH Tunneling: Examples, Command & Server Config]
* [https://unix.stackexchange.com/questions/292038/ Add Multiple Local Forward to <code>~/.ssh/config</code>]
* [https://stackoverflow.com/questions/58270768/ Add Remote Forward to <code>~/.ssh/config</code>]
* [https://serverfault.com/questions/1052158/ Add Local Forward to <code>~/.ssh/config</code>]
* [https://unix.stackexchange.com/questions/58969/ Keys added to ssh-agent with ssh-add]
* [https://www.digitalocean.com/community/tutorials/using-grep-regular-expressions-to-search-for-text-patterns-in-linux Grep & Regular Expressions to Search]
* [https://unix.stackexchange.com/questions/518568/ Restart ssh-agent Without Relogin]
* [[Sed Replace A Multi-Line String]]
* [[AWS CLI|AWS » CLI]]
* [[AWS]]


| valign="top" |
| valign="top" |
* [https://serverfault.com/questions/1159599/ SSH server » Ubuntu » Change the default port]
* [https://stackoverflow.com/questions/4549945/ <code>rsync</code> » Specify a different ssh port]
* [[OpenSSL]]
* [[CIDR]]
* [[UFW]]


|-
|-

Latest revision as of 11:52, 1 November 2024

Tunnel

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'gtw.vpc.chorke.org' ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# bastion ssh tunnel
Host gtw.vpc.chorke.org
     HostName gtw.vpc.chorke.org
     PreferredAuthentications publickey
     IdentityFile ~/.ssh/gtw.vpc.chorke.org_rsa
     User deploy
EOF
fi

Tunneling

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'api.vpc.chorke.org'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# api gateway service
Host api.vpc.chorke.org
     HostName api.vpc.chorke.org
     ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
     IdentityFile ~/.ssh/api.vpc.chorke.org_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
     LocalForward 1983 localhost:1983
     LocalForward 2013 localhost:2013
     LocalForward 2015 localhost:2015
EOF
fi

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'app.vpc.chorke.org'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# web portal service
Host app.vpc.chorke.org
     HostName app.vpc.chorke.org
     ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
     IdentityFile ~/.ssh/app.vpc.chorke.org_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
     LocalForward 1983 localhost:1983
     LocalForward 2013 localhost:2013
     LocalForward 2015 localhost:2015
EOF
fi

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'rds.vpc.chorke.org'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# psql database service
Host rds.vpc.chorke.org
     HostName rds.vpc.chorke.org
     ProxyCommand ssh -qW%h:%p gtw.vpc.chorke.org
     IdentityFile ~/.ssh/rds.vpc.chorke.org_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     User deploy
EOF
fi

# add ssh private key to the ssh-agent
ssh-add ~/.ssh/app.vpc.chorke.org_rsa
ssh-add ~/.ssh/api.vpc.chorke.org_rsa
ssh-add ~/.ssh/rds.vpc.chorke.org_rsa

# forward ssh key to bastion
ssh -A app.vpc.chorke.org
ssh -A api.vpc.chorke.org
ssh -A rds.vpc.chorke.org 

# manage ssh key from ssh-agent
ssh-add -d ~/.ssh/app.vpc.chorke.org_rsa
ssh-add -l
ssh-add -L
ssh-aad -D

Example

 ssh-copy-id -i\
 ${HOME}/.ssh/vpn.shahed.biz_rsa.pub [email protected]

 ssh-copy-id -i\
 ${HOME}/.ssh/git.shahed.biz_rsa.pub [email protected]

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'vpn.shahed.biz'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# bastion proxy
Host vpn.shahed.biz
     HostName vpn.shahed.biz
     IdentityFile ~/.ssh/vpn.shahed.biz_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     IdentitiesOnly yes
     User bastion

EOF
fi

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'git.shahed.biz'  ${HOME}/.ssh/config)" == 0 ]];then
        tee -a ${HOME}/.ssh/config >/dev/null <<EOF

# gitlab jenkins
Host git.shahed.biz
     HostName git.shahed.biz
     ProxyCommand ssh -qW%h:%p vpn.shahed.biz
     IdentityFile ~/.ssh/git.shahed.biz_rsa
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     IdentitiesOnly yes
     User jenkins
EOF
fi

if  [[ -f ${HOME}/.ssh/config ]]&&[[ -s ${HOME}/.ssh/config ]]&&
    [[ "$(grep -c 'Host \*'  ${HOME}/.ssh/config)" == 0 ]];then
        cat <<EOF | tee -a ${HOME}/.ssh/config >/dev/null

# for all host
Host *
     PreferredAuthentications publickey
     PubkeyAcceptedKeyTypes +ssh-rsa
     HostKeyAlgorithms +ssh-rsa
     ServerAliveInterval 60
     ServerAliveCountMax 20
     IdentitiesOnly yes
     AddressFamily inet
     Compression yes
     LogLevel INFO
     Protocol 2
EOF
fi

Knowledge

sudo systemctl restart sshd
sudo systemctl status  ssh

grep -c '^#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)$' ./sshd_config
grep -c '^#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)$' ./sshd_config

# regexp simple group & escaping
if  [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
    [[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)' /etc/ssh/sshd_config)" == 1 ]];then
        sed -z  's/#[ ]*GatewayPorts[ ]*\(no\|yes\|clientspecified\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi

# regexp complex group & escaping
if  [[ -f /etc/ssh/sshd_config ]]&&[[ -s /etc/ssh/sshd_config ]]&&
    [[ "$(grep -c '#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)' /etc/ssh/sshd_config)" == 1 ]];then
        sed  -z 's/#[ ]*GatewayPorts[ ]*\(\(no\)\|\(yes\)\|\(clientspecified\)\)/GatewayPorts yes/' -i /etc/ssh/sshd_config
fi

# add ssh private key to agent
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa

# forwarded private key
ssh -A api.vpc.chorke.org
ssh -A app.vpc.chorke.org

# manage ssh key for ssh-agent
ssh-add -d ~/.ssh/gtw.vpc.chorke.org_rsa

ssh-add -l
ssh-add -D
ssh-add -L

Too many authentication failures
ssh-add -l
ssh-add -D
ssh-add ~/.ssh/gtw.vpc.chorke.org_rsa
ssh api.vpc.chorke.org
ssh app.vpc.chorke.org

too many authentication failures issue
ssh -o PreferredAuthentications=password ${USER}@academia.local
ssh -o IdentityAgent=none ${USER}@academia.local
ssh -o IdentitiesOnly=yes ${USER}@academia.local

Host *.local
     IdentityAgent none
     IdentitiesOnly yes
     PreferredAuthentications password

References

Retrieved from "https://cdn.chorke.org/weke/index.php?title=Bastion_SSH_Tunneling&oldid=13206"